个人中心
gpt4 book ai didi

php - 通过未加密的 JSON 发送人名的足够安全的方法

转载 作者:行者123 更新时间:2023-11-29 18:06:36 25 4
gpt4 key购买 nike

我即将完成为本地一家健身房开发的应用程序,由于我的测试接近完成,并且版本 1 即将完成,我开始考虑保护该应用程序免受任何 MITM 类型的攻击。虽然我知道有人甚至想要 MITM 这个应用程序(而不是银行应用程序)的机会几乎为零,但我仍然希望在安全方面采取一些积极主动的态度。

虽然该应用程序不发送/接收任何用户信息(来回发送的数据是体重、次数、时间、用户签到的类(class)名称等),但我正在传输所有活跃用户的姓名健身房成员(用于自动完成文本框)。我想加密名称,但我发现很难将我的代码从 HTTP 更改为 HTTPS。我的服务器上有 HTTPS 和自签名证书,但似乎无法让 android 端工作(在 eclipse 中保持没有对等证书错误)。作为解决方法,我考虑过使用 AES128 来加密/散列每个名称,然后在手机上对其进行解密,然后在通过 PHP 将数据发回数据库时同样执行相同的操作。

这是否足以替代加密整个 session ?称之为“Lazy SSL”,就好像有人得到了 key ,他们就能够解密数据,但同样,我们只传输名称,没有其他用户信息。

这是我正在使用的未加密代码(我省略了不必要的东西以使这个 block 更小):

public JSONObject makeHttpRequest(String url, String method, List<NameValuePair> params) {

        if (method == "POST") {
            // request method is POST
            // defaultHttpClient
            DefaultHttpClient httpClient = new DefaultHttpClient();
            HttpPost httpPost = new HttpPost(url);
            httpPost.setEntity(new UrlEncodedFormEntity(params));

            HttpResponse httpResponse = httpClient.execute(httpPost);
            HttpEntity httpEntity = httpResponse.getEntity();
            is = httpEntity.getContent();

        }

这是一个更大的用于解析 Json 的类: My entire JSONParser class

我在需要向服务器拉取数据或向服务器发送数据的地方调用此类,例如:

final JSONParser jsonParser = new JSONParser();

    final List<NameValuePair> params = new ArrayList<NameValuePair>();
    params.add(new BasicNameValuePair("tag", Globals.TAG_GETMEMBERS));
    params.add(new BasicNameValuePair("LastRow", lastRow));
    // getting JSON string from URL
    final JSONObject json = jsonParser.makeHttpRequest(
            Globals.WEBSERVICE_URL, "POST", params);

使用各种资源:

How to enable a self-signed certificate for SSL sockets on Android?

http://randomizedsort.blogspot.com/2010/09/step-to-step-guide-to-programming.html

我能够得到一些有用的东西,我最初尝试使用“信任所有证书”方法,但由于这很容易受到中间人攻击,我宁愿不使用它(而且它不起作用。使用第二个链接我'到目前为止,我已经重新生成了证书,我已经下载了充气城堡 jar (

我还使用以下命令生成了一个 keystore ,并将其导入到我的项目中:

keytool -genkey -dname "cn = smashwebserver, ou=Development Team, o=Smash Gyms, L=Sunnyvale, s=California, c=US" -alias ssltest -keypass ssltest -keystore c:\dell\ssltest.keystore -storepass ssltest -validity 180

keytool -export -alias ssltest -keystore c:\dell\ssltest.keystore -file c:\dell\ssltest.cer -storepass ssltest -keypass ssltest

keytool -import -alias ssltestcert -file C:\dell\ssltest.cer -keypass ssltestcert -keystore "C:\Users\Evan Richardson\workspace\SmashGyms\res\raw\ssltestcert" -storetype BKS -storepass ssltestcert -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "C:\Users\Evan Richardson\workspace\SmashGyms\libs\bcprov-jdk15on-147.jar"

生成的 JSONParser 类 block 如下所示:

if (method == "POST") {

            // Load the self-signed server certificate
            char[] passphrase = "ssltest".toCharArray();
            KeyStore ksTrust = KeyStore.getInstance("BKS");
            ksTrust.load(context.getResources().openRawResource(
                    R.raw.ssltestcert), passphrase);
            TrustManagerFactory tmf = TrustManagerFactory
                    .getInstance(KeyManagerFactory.getDefaultAlgorithm());
            tmf.init(ksTrust);

            // Create a SSLContext with the certificate
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, tmf.getTrustManagers(),
                    new SecureRandom());

            // request method is POST
            // defaultHttpClient
            DefaultHttpClient httpClient = new DefaultHttpClient();
            HttpPost httpPost = new HttpPost(url);
            httpPost.setEntity(new UrlEncodedFormEntity(params));

            HttpResponse httpResponse = httpClient.execute(httpPost);
            HttpEntity httpEntity = httpResponse.getEntity();
            is = httpEntity.getContent();

        }

但是现在我收到以下错误:

10-29 11:55:28.470: W/System.err(9561): java.io.IOException: Wrong version of key store.

我查看了该错误,并在此处找到了可能的解决方案:Android bouncy castle: IOException

我已经下载了 145 版本的 bouncycaSTLes Jar,并使用了它。这修复了 ioexception 错误,但现在我得到以下信息:

10-29 12:21:57.536: W/System.err(12506): Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x10b9a10: Failure in SSL library, usually a protocol error
10-29 12:21:57.536: W/System.err(12506): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (external/openssl/ssl/s23_clnt.c:683 0x4026dced:0x00000000)
10-29 12:21:57.536: W/System.err(12506): return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL
10-29 12:21:57.586: W/System.err(12506): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

奇怪的是,如果我将 url 更改为“https://google.com”,我不会收到任何错误,只有以下错误:

10-29 14:03:50.198: V/httpresponsetag:(17810): <!DOCTYPE html>
10-29 14:03:50.198: V/httpresponsetag:(17810): <html lang=en>
10-29 14:03:50.198: V/httpresponsetag:(17810):   <meta charset=utf-8>
10-29 14:03:50.198: V/httpresponsetag:(17810):   <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
10-29 14:03:50.198: V/httpresponsetag:(17810):   <title>Error 405 (Method Not Allowed)!!1</title>
10-29 14:03:50.198: V/httpresponsetag:(17810):   <style>
10-29 14:03:50.198: V/httpresponsetag:(17810):     *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}
10-29 14:03:50.198: V/httpresponsetag:(17810):   </style>
10-29 14:03:50.198: V/httpresponsetag:(17810):   <a href=//www.google.com/><img src=//www.google.com/images/errors/logo_sm.gif alt=Google></a>
10-29 14:03:50.198: V/httpresponsetag:(17810):   <p><b>405.</b> <ins>That’s an error.</ins>
10-29 14:03:50.198: V/httpresponsetag:(17810):   <p>The request method <code>POST</code> is inappropriate for the URL <code>/</code>.  <ins>That’s all we know.</ins>

这可能表明它实际上是我的自签名证书,但如果我打开 https:servername,它就可以工作(当然有默认警告)

编辑:

即使接受所有证书,我也遇到了同样的错误,所以我用我正在使用的主机名在浏览器中查看,同样的错误。然后我查看了路由器上的 NAT 设置...我正在转发到端口 80,而不是 443。失败。更改为 443,现在看起来它正在工作,至少接受所有证书和以下代码:

public JSONObject makeHttpRequest(String url, String method,
        List<NameValuePair> params) throws NoSuchAlgorithmException,
        CertificateException, NotFoundException, KeyStoreException,
        KeyManagementException {

    // Making HTTP request
    try {

        // check for request method
        if (method == "POST") {

            // request method is POST
            // defaultHttpClient

            // Create a trust manager that does not validate certificate chains
            TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return null;
                }

                public void checkClientTrusted(
                        java.security.cert.X509Certificate[] certs,
                        String authType) {
                }

                public void checkServerTrusted(
                        java.security.cert.X509Certificate[] certs,
                        String authType) {
                }
            } };

            // Install the all-trusting trust manager
            try {
                SSLContext sc = SSLContext.getInstance("SSL");
                sc.init(null, trustAllCerts,
                        new java.security.SecureRandom());
                HttpsURLConnection.setDefaultSSLSocketFactory(sc
                        .getSocketFactory());
            } catch (Exception e) {
            }

            // Now you can access an https URL without having the certificate in the truststore

            HttpClient client = new DefaultHttpClient();
            client = this.sslClient(client);
            HttpPost httpPost = new HttpPost(url);
            httpPost.setEntity(new UrlEncodedFormEntity(params));

            // Log.v(TAG, EntityUtils.toString(result.getEntity()));

            HttpResponse httpResponse = client.execute(httpPost);
            // Log.v("httpresponsetag:", EntityUtils.toString(httpResponse
            // .getEntity()));
            HttpEntity httpEntity = httpResponse.getEntity();
            is = httpEntity.getContent();

        }

最佳答案

忘记重新发明惰性 SSL 或其他什么。只需使用 SSL 并修复您的代码。并且不要关闭证书验证并信任所有证书。使用自签名证书并不是特别困难,发布您尝试过的内容,人们会为您指明正确的方向。通常你需要:

  1. 拿到证书
  2. 将其放入您应用的原始资源中
  3. 读取它并用它初始化一个 KeyStore
  4. 将其传递给您的 SSL 套接字工厂
  5. 使用 4 中的套接字工厂初始化您的 HTTP 客户端。

如果你正在使用HttpClient,这是如何做到的,重点是注册SSLSocketFactory:

KeyStore ts = KeyStore.getInstance("BKS");
InputStream in = getResources().openRawResource(R.raw.mytruststore);
ts.load(in, TRUSTSTORE_PASSWORD.toCharArray());

SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("http", PlainSocketFactory
                .getSocketFactory(), 80));
SSLSocketFactory sslSocketFactory = new SSLSocketFactory(ts);
schemeRegistry.register(new Scheme("https", sslSocketFactory, 443));
HttpParams params = new BasicHttpParams();
ClientConnectionManager cm = 
    new ThreadSafeClientConnManager(params, schemeRegistry);

HttpClient client = new DefaultHttpClient(cm, params);

查看更多示例、示例项目和一些背景信息:http://nelenkov.blogspot.com/2011/12/using-custom-certificate-trust-store-on.html

关于php - 通过未加密的 JSON 发送人名的足够安全的方法,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/13116129/

25 4 0
文章推荐: android - layout_margin 未从包含的 ImageView 继承
文章推荐: android - 在 Android 中使用 PhoneGap 选择图像/视频
文章推荐: android:configChanges 选项-Android
文章推荐: Android:自定义照片尺寸
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com